Suru

Suru is a man-in-the-middle (MITM) proxy that sits between the user's browser
and the web application. It was written in the early days of web application
hacking and has since been deprecated in favour of more modern tools. The
source is available for download. It receives all the requests made by the
browser and records it. The requests can be modified in any way and replayed.
Suru not only catches requests that were made by the user, but also requests
that use the IE object, such as rich applications using web services, MSN ads,
Google Earth requests, application auto-updates etc. The proxy understands
multipart POSTs (MPPs) and XML POSTs (used for web services).

Web application fuzzer

Suru gives the analyst the ability to fuzz any part of the HTTP request. This
obviously includes GET and POST parameters, but can also be extended to
Host:-fields, Content-length: etc. The analyst can choose to fuzz any point
of the HTTP request header or body. These Fuzz control points can be fuzzed
with any value - and Suru includes some sample fuzz strings by default. After
fuzzing, the analyst can choose to "auto group" the responses. This means that
the application will compare the response to a base response (similar to what
CrowBar does) and automatically group the responses according to its difference
to the base response. In simple terms, that means that Suru will tell you how
many different responses were received, with slightly different responses (e.g.
when the response only differ by one character) grouped together. The analyst
has the ability to set the tolerance of this grouper and the granularity of the
grouping.

Reconnaissance engine

The SensePost Suru web proxy has the ability to perform the same type of
"back-end" functionality as Wikto has. But it goes
one step further: As you browse, Suru automatically detects when a new
directory is used (e.g. when the user surfed to http://abc_corp/abc/ the
directory /abc/ is automatically searched). This means that, as the analyst
is surfing the application, Suru will learn more and more about the application
and perform more in-depth discovery of the site. This smart discovery
includes functionality like automatically searching a known file name with all
extensions (nice for finding abc_corp_login.old), and using known directory
names in future searches (e.g. when /abc/ was found it would search future
directories also for /abc/ - thereby also finding /cgi-bin/abc/
automatically).

Ease of use

Suru was written in-house by SensePost. We perform hundreds of web
application assessments every year and Suru is thus a web proxy written by
people that use web proxies every day. Some of our favourite features
include: The ability to save and load sessions.

Requests that were edited are marked so you can easily distinguish them from
normal requests.

There is Search and Replace on both outgoing and incoming streams (with the
ability to also change binary streams).